(54) Title: INTERNET PROTOCOL TRAFFIC FILTER FOR A MOBILE RADIO NETWORK 
(57) Abstract 

An Internet Protocol traffic filter is provided for a mobile radio 
network (100). A database (211) stores access privileges of the mobile 
station (150) for accessing a remote host (130), and access privileges 
of the remote host (130) for accessing the mobile station (150). A 
processor (210) receives (306) data from the mobile station (150) 
addressed to a remote host (130). The processor (210) accesses (310) 
the database (211) to determine (320) whether the mobile station 
(150) is allowed to access the remote host (130), and denies (330) 
access if access is unauthorized. Otherwise, the processor (210) sends 
(340) the data to the remote host (130) if access is authorized. The 
processor (210) also receives (420) data from a remote host (130), and 
determines (440) whether the remote host (130) is allowed to access 
the mobile station (150). The processor (210) denies (450) access 
to the mobile station (150) if the remote host (130) is unauthorized. 
Otherwise, the processor (210) connects (460) the remote host (130) 
to the mobile station (150) if access is authorized. 
INTERNET PROTOCOL TRAFFIC FILTER 
FOR A MOBILE RADIO NETWORK 

BACKGROUND OF THE INVENTION 
Technical Field of the Invention 

The present invention pertains in general to a method and apparatus for 
filtering data packets transmitted across a communication network and, more 
particularly, to a method and apparatus for filtering the transmission of data packets 
between a mobile station in a mobile radio network and an Internet Protocol (IP) type 
network. 

Description of the Related Art 

Packet data services are being introduced at an increasing rate into mobile 
radio networks. Packet data services provide an efficient connection between digital 
terminal equipment connected to mobile stations in a mobile radio network and remote 
hosts connected to the Internet. Using a packet data service, data is transmitted 
between the remote host and the digital terminal equipment as discrete data packets. 
The use of discrete data packets allows a mobile radio network operator to convey data 
from several mobile stations on a single channel and, further, to charge mobile station 
subscribers based on the quantity of data transmitted across the mobile radio network 
rather than on the duration of a connection between the mobile station and the remote 
host. 

Using the packet data service, the mobile station subscriber connects digital 
terminal equipment, such as a personal computer, to the Internet or an Internet-like 
network such as an Intranet. This allows the mobile station subscriber to access 
remote hosts on the Internet and, in turn, allows remote hosts on the Internet to access 
the digital terminal equipment connected to the mobile station. For various reasons, 
mobile station subscribers and the mobile radio network operator may desire to control 
the flow of the IP traffic both to and from the mobile station. For example, since the 
mobile station subscriber is charged for data packets sent to the mobile station 
subscriber by a remote host, the mobile station subscriber may wish to filter IP traffic 
directed to the digital terminal equipment to certain authorized remote hosts. 

In a similar fashion, the mobile radio network operator may wish to 
individually filter the ability of each mobile station to access remote hosts. For 
example, the mobile radio network operator may wish to create a virtual network, 
wherein a select group of mobile station subscribers and remote hosts have access to 
the virtual network. By establishing such virtual networks, the mobile radio network 
operator can charge different tariffs to each mobile station subscriber based on the 
subscriber's membership in one or more of the virtual networks. 

Several techniques currently exist for controlling the transmission of data 
between computing devices over a network. These techniques apply both to hosts on 
the same network as well as to hosts located on different networks. For example, 
firewalls are commonly used as barriers between an internal network and external 
hosts to prevent the internal network from unauthorized access by the external hosts 
or others. The firewall also prevents the transmission of data from the external host 
to hosts on the internal network. 

Other techniques for filtering traffic on a communication network involve 
filtering the communication of data to certain segments of a single or multiple 
communication networks. Such techniques are based on the address of the destination 
host and apply indiscriminately to all hosts. These filtering techniques are designed 
to increase the bandwidth of the communication network by filtering communication 
of the data to only those segments of the communication network necessary for the 
data to reach the destination host from the originating host. 

It would be advantageous to devise a method and apparatus to individually 
filter IP traffic for each mobile station in a mobile radio network so as to filter 
communication between digital terminal equipment connected to a mobile station on 
a mobile radio network and remote hosts located on an Internet. It would also be 
advantageous if such a method and apparatus allowed both the mobile station 
subscriber and the mobile radio network operator to independently establish access 
privileges to and from the digital terminal equipment. 
SUMMARY OF THE INVENTION 

The present invention comprises an IP traffic filter for a mobile radio network. 
A database stores access privileges for the mobile station to access a remote host, and 
access privileges for the remote host to access the mobile station. A processor 
receives data from the mobile station addressed to a remote host. The processor 
accesses a local copy of the database to determine whether the mobile station is 
allowed to access the remote host, and denies access if access to the remote host by the 
mobile station is unauthorized. Otherwise, the processor allows access to a remote 
host if access to the remote host is authorized. 

The processor also receives data from a remote host addressed to the mobile 
station, and determines whether the remote host is allowed to access the mobile 
station. The processor denies access to the mobile station if the remote host is 
unauthorized. Otherwise, the processor allows the remote host to access the mobile 
station if access to the mobile station by the remote host is authorized. 

BRIEF DESCRIPTION OF THE DRAWINGS 

For a more complete understanding of the present invention, reference is made 
to the following detailed description taken in conjunction with the accompanying 
drawings wherein: 

FIGURE 1 is a functional block diagram of an IP traffic filter for a mobile 
radio network consistent with a preferred embodiment of the present invention; 

FIGURE 2 is a flow diagram of a method for filtering access to a remote host 
by a mobile station consistent with the preferred embodiment of the present invention; 
and 

FIGURE 3 is a flow diagram of a method for filtering access to digital terminal 
equipment connected to a mobile station by a remote host consistent with the preferred 
embodiment of the present invention. 

DETAILED DESCRIPTION OF THE INVENTION 
Referring now to Figure 1, there is illustrated a functional block diagram of an 
IP traffic filter consistent with a preferred embodiment of the present invention. A 
mobile radio network 100 communicates with an Internet 110 via a router 120. The 
mobile radio network 100 can be any type of mobile radio network, such as, for 
example, a cellular telephone network, and can be implemented using any appropriate 
architecture or air interface standard. For illustrative purposes, the mobile radio 
network 100 is described as implementing a Personal Digital Cellular (PDC) protocol. 
Likewise, the Internet 110 can be any type of network following IP standards. The 
Internet 110 is connected to one or more remote hosts 130. Digital terminal equipment 
140, such as a personal computer, communicates with the remote host 130 via a 
mobile station 150, and the mobile station 150 communicates with a base station 160 
of the mobile radio network 100 via an air interface 170. 

For voice communication, the base station 160 communicates with the mobile 
radio network 100 through a Visited Mobile services Switching Center (VMSC) 180 
via a speech communication link 190. For data communications, the base station 160 
communicates with a Packet Mobile services Switching Center (PMSC) 210 through 
the VMSC 180 via a packet data service link 200. The PMSC 210 is responsible for 
handling data packets communicated to and from the digital terminal equipment 140. 
The PMSC 210 communicates with the Internet 110 via the router 120. 
Information regarding the access privileges of the mobile station 150 and the remote 
host 130 are stored in a database located in a Home Location Register (HLR) 220. 

The PMSC 210 maintains a local copy 211 of access privileges contained in the HLR 
220 for all mobile stations 150 which have registered their presence in the mobile 
radio network 100. The data contained in the databases can be entered or modified 
by the mobile radio operator via the operation center 240. The data contained in the 
databases can also be entered or modified by the mobile station subscriber. As an 
example, the user interface for the subscriber can be a web server accessible from the 
Internet 110 and provides a service for entering and modifying filter parameters. 
Operation of the base station 160, the VMSC 180 and the HLR 220 to effectuate voice 
communication between the mobile station 150 and the mobile radio network 100, is 
performed by conventional methods. Likewise, data packet communication between 
digital terminal equipment 140 and remote hosts 130 is performed by conventional 
methods. 
The databases located in the HLR 220 and the local copy 211 store 
information associated with the mobile station 150 identifying which remote hosts 130 
the mobile station 150 is allowed to access. The databases also contain information 
identifying which remote hosts 130 are allowed to access the mobile station 150. The 
data contained in the databases can be entered or modified by the mobile radio 
operator via the operation center 240. The data contained in the databases can also be 
entered or modified by the mobile station subscriber. As an example, the user 
interface for the subscriber can be a web server accessible from the Internet 110 and 
provides a service for entering and modifying filter parameters. 

Referring now to Figure 2, there is illustrated a method for filtering IP traffic. 
When a mobile station 150 initiates operation in the mobile radio network 100, the 
mobile station 150 registers its presence with the mobile radio network 100 (step 290) 
and in response the PMSC 210 updates the local database 211 (step 295). The 
computing device 140 sends data to a remote host 130 (step 300) and the data is 
relayed through the VMSC 180 to the PMSC 210 (step 305). The PMSC 210 receives 
the identity of the mobile station 150 included with the data which, in this exemplary 
embodiment, is a mobile station International Mobile Station Identity (IMSI) number 
associated with the mobile station 150. The PMSC 210 also receives an IP address 
associated with the mobile station 150 and the digital terminal equipment 140, as well 
as the IP address of the remote host 130 (step 306). The PMSC 210 accesses the local 
database 211 to determine the access privileges of the mobile station 150 to access the 
remote host 130 (step 310). The database in the HLR 220 and the local database 211 
contain a list of allowed remote hosts 130 associated with the mobile station 150 or, 
in an alternative, the databases contain a list of disallowed remote hosts 130 associated 
with the mobile station 150. In any event, the PMSC 210 receives the information and 
determines whether the mobile station 150 is authorized to access the remote host 130 
based on the information contained in the local database 211 (step 320). In another 
embodiment of the present invention, the database in the HLR 220 and the local 
database 211 group the mobile station 150 and the remote hosts 130 into one or more 
virtual networks. Access to the remote host 130 from the mobile station 150, as well 
as access from the remote host 130 to the mobile station 150, is based on membership 
in a particular virtual network. 
After determining the access rights of the mobile station 150 in step 320, the 
PMSC 210 either allows or denies access based on the determination. If the PMSC 
210 has determined that access is not allowed, the PMSC 210 issues a denial message 
to the mobile station 150 (step 330). Otherwise, if the PMSC 210 determines that 
access is allowed, the PMSC 210 continues sending the data to the Internet 110 (step 
340). The PMSC 210 sends data to the Internet 110 via the router 120 in a 
conventional manner. 

Referring now to Figure 3, there is illustrated a flow diagram of a method for 
filtering requests to digital terminal equipment connected to a mobile station by a 
remote host consistent with the preferred embodiment of the present invention. When 
a mobile station 150 initiates operation in the mobile radio network 100, the mobile 
station 150 registers its presence with the mobile radio network 100 (step 390) and in 
response the PMSC 210 updates the local database 211 (step 395). The remote host 
130 sends a data packet to the PMSC 210 (step 400) via the Internet 110 and the router 
120. The router 120 receives the data and relays the data to the PMSC 210 (step 410). 
The PMSC 210 receives the data (step 420) and accesses the local database 211 (step 
430). The PMSC 210 uses the information contained in the database to determine 
whether access by the remote host 130 to the digital terminal equipment 140 connected 
to the mobile station 150 is allowed (step 440). If access is not allowed, the PMSC 
210 issues a denial to the remote host 130 (step 450). Otherwise, the PMSC 210 sends 
the data to the digital terminal equipment 140 connected to the mobile station 150 via 
the mobile radio network 100 (step 460). 
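The procedures of Figures 2 and 3 both reduce to one lookup against the local database 211, keyed by the station identity and the remote host address. The following Python is added here as an illustration and is not part of the patent; it models that lookup for the allowed-list, disallowed-list and virtual-network embodiments, with the outbound and inbound checks kept separate as the description requires. The class and function names, the fail-closed handling of unregistered stations, the use of the IMSI (rather than an MSISDN) as the identity the station IP is mapped back to, and the sample addresses are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class HostRule:
    # One list from the HLR: hosts a station may reach ("allow") or may not ("deny").
    mode: str
    hosts: tuple = ()   # addresses or CIDR prefixes

    def permits(self, remote_ip):
        ip = ipaddress.ip_address(remote_ip)
        listed = any(ip in ipaddress.ip_network(h, strict=False) for h in self.hosts)
        return listed if self.mode == "allow" else not listed

@dataclass(frozen=True)
class Privileges:
    outbound: HostRule = HostRule("allow")   # hosts the station may access (default: none)
    inbound: HostRule = HostRule("allow")    # hosts that may access the station (default: none)
    vnets: frozenset = frozenset()           # virtual networks the station belongs to

class LocalDatabase:
    # Local copy 211 of the HLR privileges, refreshed when a station registers.
    def __init__(self, host_vnets=None):
        self.by_imsi = {}
        self.ip_to_imsi = {}
        self.host_vnets = host_vnets or {}   # remote host IP -> virtual networks it is in

    def register(self, imsi, ms_ip, privileges):
        self.by_imsi[imsi] = privileges
        self.ip_to_imsi[ms_ip] = imsi

    def allowed(self, imsi, remote_ip, direction):
        p = self.by_imsi.get(imsi)
        if p is None:
            return False   # station never registered: fail closed
        if p.vnets:        # virtual-network embodiment: shared membership decides
            return bool(p.vnets & self.host_vnets.get(remote_ip, set()))
        rule = p.outbound if direction == "outbound" else p.inbound
        return rule.permits(remote_ip)

def filter_outbound(db, imsi, ms_ip, remote_ip):
    # Figure 2: the PMSC receives IMSI, station IP and remote IP (step 306),
    # consults the local database (310/320) and denies (330) or forwards (340).
    if db.ip_to_imsi.get(ms_ip) != imsi:
        return "deny"      # station IP is not bound to the claimed identity
    return "forward" if db.allowed(imsi, remote_ip, "outbound") else "deny"

def filter_inbound(db, remote_ip, ms_ip):
    # Figure 3: the destination IP is mapped back to the station identity, then the
    # database decides (440) whether to deny (450) or connect the remote host (460).
    imsi = db.ip_to_imsi.get(ms_ip)
    if imsi is None:
        return "deny"      # no registered station behind this address
    return "connect" if db.allowed(imsi, remote_ip, "inbound") else "deny"

# Constructed sample data (not from the patent): one subscriber per embodiment.
db = LocalDatabase(host_vnets={"203.0.113.10": {"corp-vnet"}})
db.register("240010000000001", "10.0.0.5", Privileges(
    outbound=HostRule("allow", ("198.51.100.0/24",)), inbound=HostRule("deny", ("192.0.2.66",))))
db.register("240010000000002", "10.0.0.6", Privileges(vnets=frozenset({"corp-vnet"})))
```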

Storing the data pertaining to access privileges in the HLR 220 enables the use 
of current roaming functions which are well known in the industry. This allows 
subscribers to roam between different mobile radio networks with the access 
privileges data remaining valid. 

Although a preferred embodiment of the method and apparatus of the present 
invention has been illustrated in the accompanying Drawings and described in the 
foregoing Detailed Description, it is understood that the invention is not limited to the 
embodiment disclosed, but is capable of numerous rearrangements, modifications, and 
substitutions without departing from the spirit of the invention as set forth and defined 
by the following claims. 
WHAT IS CLAIMED IS: 

1. An IP traffic filter for a mobile radio network comprising: 

a database for storing access privileges of a mobile station for accessing 
a remote host, and access privileges of said remote host for accessing said mobile 
station; and 

a processor for routing data to and from said mobile station, the 
processor further for accessing said database to determine access privileges, and for 
denying or allowing access in response to a determined access privilege. 

2. The IP traffic filter of Claim 1, wherein said processor comprises a 
PMSC in said mobile radio network. 

3. The IP filter recited in Claim 1, further comprising a HLR for 
maintaining said database. 

4. The IP filter recited in Claim 1, further comprising a router for 
connecting said mobile radio network to an Internet. 

5. The IP filter recited in Claim 1, further comprising a means for entering 
and modifying data in said database. 

6. The IP filter recited in Claim 5, wherein said means for entering and 
modifying data in said database comprises an Internet web server. 

7. A method for filtering IP traffic originating from a mobile station in a 
mobile radio network, comprising the steps of: 

receiving data from said mobile station addressed to a remote host; 

determining access rights of said mobile station to access said remote 
host; 

denying access to said remote host if said access is unauthorized; and 

forwarding said data to said remote host if said access is authorized. 
8. The method of Claim 7, wherein the step of receiving data addressed 
to said remote host comprises the steps of: 

receiving an identity of said mobile station; 

receiving an IP address of said remote host; and 

receiving an IP address associated with said mobile station. 

9. The method of Claim 8, wherein the step of receiving said identity of 
said mobile station comprises receiving an IMSI number associated with said mobile 
station. 

10. The method of Claim 8, wherein the step of determining access rights 
of said mobile station comprises comparing the IP address of said remote host against 
a list of allowed destination hosts associated with said mobile station. 

11. The method of Claim 8, wherein the step of determining access rights 
of said mobile station comprises comparing said IP address of said remote host against 
a list of disallowed destination hosts associated with said mobile station. 

12. The method of Claim 8, wherein the step of determining access rights 
of said mobile station comprises comparing the IP address of said remote host and 
said identity of said mobile station against membership in a virtual network. 

13. A method for filtering IP traffic directed to a mobile station in a mobile 
radio network from a remote host comprising the steps of: 

receiving data addressed to said mobile station; 

determining access rights of said remote host; 

denying access to said mobile station if access to said mobile station 
by said remote host is unauthorized; otherwise 

sending data from said remote host to said mobile station if said access 
to said mobile station by said remote host is authorized. 


WO 99/33291 PCT/SE98/02322 

14. The method of Claim 13, wherein the step of determining said access 
rights of said remote host comprises comparing said IP address of said remote host 
against a list of allowed originating remote hosts associated with said mobile station. 

15. The method of Claim 13, wherein the step of determining said access 
rights of said remote host comprises comparing said IP address of said remote host 
against a list of disallowed originating remote hosts associated with said mobile 
station. 

16. The method of Claim 13, wherein the step of determining said access 
rights of said remote host comprises comparing said IP address of said remote host and 
said identity of said mobile station against membership in a virtual network. 

17. The method of Claim 13, wherein the step of denying access to said 
mobile station comprises transmitting a denial message to said remote host. 

18. The method of Claim 13, wherein the step of determining said access 
rights of said remote host further comprises converting said IP address of said mobile 
station to an associated mobile station ISDN number. 